Overview

The Framework menu includes the settings which are the key configuration areas of the system. From editing your risk matrix, to configuring the fields, you can access the Framework menu from the top Menu Navigation icon dropdown.

Risk Settings provides users with the ability to adjust various settings used for Strategic, Operational, Project, and Corporate risks. It comprises a range of screens which can be utilised by the Risk Manager or Administrator using static permission structure or any user with necessary permissions under the flexible permission structure to define variables and criteria utilised in the risk assessment process.

To access the settings page, go to Menu > Framework > Risk Settings.

The following can be configured using 'Risk Settings':

Tab Name

Purpose

Initial Settings

Configure various system options.

Criteria

Enable users to set up the calculations for Initial, Current and Future risk assessments.

Rating Type

Allows definition of risk ratings based on your risk matrix.

Calculations

Enable users to set up the calculations for Initial, Current and Future risk assessments.

Categories

Define categories for enhanced filtering, analysis and reporting.

Treatment

Setup different risk treatment types.

Sequence

Setup an automatic numbering system for risk assessments.

Custom Controls

Edit various fields within the Risk Review tab.

Risk Review CommentaryEnable and update the risk review related commentary fields  

Consequence Table

Setup a consequence reference grid.

Likelihood Table

Setup a likelihood reference grid.

Risk Templates

Define templates to save time when creating large numbers of assessments.

Legislation and Business Process

Define legislations and business processes which can be linked to risks.

Field ConfigurationCustomise the fields which are made visible within the different phases of risk assessments.

Register Configuration 

Customise the fields and filters which are made visible within the different registers of risk types 

Review Frequency


Setup custom frequencies which can be used for email notifications and alerts.


Custom Lists

Customise the dropdown list available in the Risk Fields area.

Heatmap Settings Enable the Heatmap Dashboard tab in Risk Analysis 


Initial Settings

This settings page enables you to turn on/off key settings. This includes using the Future (sometimes called Target) Risk Assessment to setup your risk solution.

  • Activate/Deactivate Future risk assessments: Tick the 'Future Assessment' tick box to record Future or target projections for your organisation’s risks. Upon selection an additional tab will be visible in the assessment page for your risks.

After ticking or unticking (activating or deactivating) a row item, ensure you click the 'Update' button to save your selection.


Criteria

Risk Criteria

This settings page lets you define your risk criteria and its values such as likelihood and consequence/impact, which will be used when completing a risk assessment. Each option within the criteria requires an associated value that is later used to determine the risk score (see details under the ‘Calculations’ setting).

  • STEP 1: Select the 'Criteria' tab.

  • STEP 2: To define a new criteria record, enter a name, a short code and a description. This description will display when users hover their cursor over this in the risk assessment area where the selection for this criteria record will be made.
  • STEP 3: Under Visibility, select the assessment phases for which risk rating calculations the criteria should be used. For example, Likelihood and Consequence are often used for initial assessments, whereas Effectiveness of Controls is also often used in the current assessment (along with Likelihood and Consequence) when completing a review.

Note: While the 'Making the criteria non-compulsory' setting is ON, If the visibility of criteria is configured for a specific risk assessment stage and the same criteria is not used under the calculation configuration, the criteria is shown as an optional field in the user's rating grid.

  • STEP 4: The Sort field indicates the positioning of the Risk Criteria in the available assessment phases. If two or more fields have the same ‘Sort’ value, they will appear in alphabetical order.
Note: If the Sort value is given as 1, then the Risk Criteria field will display in the X-axis in the heat map grid. And if the Sort value is given as 2, then the field will display in the Y-axis on the heat map.
  • STEP 5: Click the 'Add' button to save.

  • STEP 6: To edit an existing item, click on the 'Edit' button. Click the 'Update' button to save details, or click the 'Cancel' button to cancel any changes.


When a Risk Criteria record is saved, the name turns into a hyperlink which can be clicked to navigate directly to its Risk Criteria Rating screen.

Note: Use the adjacent buttons to Edit or Delete a saved record. You will not be allowed to delete a value if there are linked risks to it. Hence please make sure to remove all linkages from within the risk prior to deleting a criteria value.


Risk Criteria Rating

Here you can define multiple risk criteria ratings with corresponding values and descriptions. Ensure you know how to configure these values accurately as they, along with the formulas entered in the Risk Calculations area, determine how your risk ratings are generated. If you are unsure how to enter these, use the default values provided by Camms.

  • STEP 1: To define a risk criteria rating, firstly click on the hyperlink to the criteria values that you want to enter.

You will be taken into the value items. To add a new item, enter a name, value and a rating description to the bottom row.

  • STEP 2: Click the 'Add' button at the bottom once you have entered in a new item.
  • STEP 3: You can also decide between Ascending and Descending for the display order of the values and this will be used in any area where the criteria values are shown in the application to determine the order in which they are shown.
  • STEP 4: To edit an item, click on the 'Edit' button. Once you are done editing, click the 'Update' button.
  • STEP 5: Click the 'Save' button to save any changes made or click the ‘Cancel' button to cancel any changes.
Note: Use the adjacent 'Edit' button or 'Delete' button to delete a saved record.


Risk Appetite Benchmark

The Appetite Benchmark values against each category can be defined here if the feature is enabled for you. 

  • STEP 1: To define a new criteria record, enter a name and a numerical value for the criteria which will be the benchmark. This value will be used to determine the appetite rating comparison with the risk score for the risk. Click on add to save.
  • STEP 2: To edit an existing item, click on the 'Edit' button. Once edited the record, click on the 'Update' button.

Note: Use the adjacent 'Edit' button to edit or 'Delete' button to delete a saved record. You will not be allowed to delete a value if there are linked risks to it. Hence please make sure to remove all linkages from within the risk prior to deleting a criteria value.

See article Risk Appetite Configuration for more details.


Rating Type

This settings page lets you define the list of rating values for the risk, control, and risk appetite areas, along with  the image, colour (to be used in graphs and charts), and sequence. Additionally, review/control frequency may be added to determine the automatic population of  review frequency based on rating values. 

Note: The review frequency is applicable only when the 'Update Frequency based on the Risk Rating' setting is enabled within the 'Review Frequency' field under Risk Settings > Field Configurations > [Risk Type] > Risk Review > Review Frequency.

  • STEP 1: Click the 'Rating Type' tab. There are two options available to select from the dropdown 'Select Screen Type' and you can set up the risk ratings for your risk assessments as well as control ratings for your control assessments from here. Either option would behave in the same manner as explained below.
  • STEP 2: To define a rating, enter a name and associate an image with it which will be used throughout the system.
  • STEP 3: Click on one image to make your selection.
  • STEP 4: To upload a new image, click 'Browse' to look for a file on your computer. Make sure you use a small but high-quality picture.
  • STEP 5: Click 'Select' to confirm your choice.
    To change the image, simply click on the image and repeat the previous steps 3-6.
    You can set the colour for your rating type. This colour will be used to represent the rating in graphs and charts.
  • STEP 6: Select a colour for the rating by clicking on the colour palette and then clicking on one of the colours available.

  • STEP 7: Click Closeto exit the palette.
  • STEP 8: Enter a sequence number which will determine the order in which the rating will appear in dropdown lists throughout the system.
  • STEP 9: Enter a frequency value to determine the automatic population of the risk review frequency based on the selection of the risk rating value for a risk in the current risk assessment.
    Note: This is applicable only when the 'Update Frequency based on the Risk Rating' setting is enabled within the 'Review Frequency' field under Risk Settings > Field Configurations > [Risk Type] > Risk Review > Review Frequency. In the case of controls, this will determine the control frequency value.
  • STEP 10: Click the 'Add' button to add it to the table.
Note: Use the adjacent 'Edit' button or 'Delete' button to delete a saved record.


Calculations

This settings page lets you define the formula calculation for the risk rating and determine the appropriate minimum and maximum range for each rating. The operators and criteria codes captured in the criteria menu are listed below and can be used to define the formula (e.g. (L*C), (L+C)). Use L = Likelihood, C = Consequence along with standard mathematical operators: +, -, *, /, ().

  •  STEP 1: Click the 'Calculations' tab.

Each phase of your assessment can be setup to calculate its risk rating in a different way. The tabs in this area will allow you to select the available phases which you can define risk rating calculations for

The grid displays rows for each risk rating record you defined in the risk rating area.

  • STEP 2: Specify a formula using the 'Formula Syntax'.

Only the operators and criteria options in the Formula Syntax can be entered into the risk rating Formula but you may enter numerical figures within your formulae. 

  • STEP 3: Click the 'Edit' button to modify any minimum and maximum values present.

You must make sure that there are no gaps between the maximum values of a rating and the minimum value of the next highest rating. This will ensure that any combination of Risk Criteria will generate a Risk Rating.

  • STEP 4: Click the 'Update' button to update values.
  • STEP 5: Click the 'Save' button at the top to save all changed details.
Notes: 
  • While the 'Making the criteria non-compulsory' setting is ON, If the visibility of criteria is configured for a specific risk assessment stage and the same criteria is not used under the calculation configuration, the criteria is shown as an optional field in the user's rating grid.

  • There is no validation of the risk rating formula if the calculation results in a rating above or below the minimum and maximum values of the respective risk ratings. If a risk rating does not appear in an assessment after the correct fields have been selected and the assessment is saved, the risk rating formula must be adjusted.

If you are unsure of how to enter a formula, use the default formula provided by Camms.

Click on any additional phase tabs and repeat the above steps if you want to define different formulas for the calculation of their risk ratings.

Note: Use the adjacent 'Edit' button or 'Delete' button to delete a saved record.


Categories

Define the risk categories and sub categories to be displayed in the respective risk type. The Identification categories are populated in the category drop down, and the Consequence categories are used when selecting the consequence/impact of a risk.  Additionally, you may add an appetite benchmark value if this is activated.

  • STEP 1: Click the 'Categories' tab.

  • STEP 2: Type in a name and description in the text boxes provided.
  • STEP 3: Click the 'Add' button to save details.

Additionally, you can define sub categories by expanding the main risk category (using the expand icon).

  • STEP 4: Type in a name and description for the sub category (if applicable).
  • STEP 5: Click the 'Add' button to save details.
  • STEP 6: By using the Risk Identification area you can map Risk categories to different risk types for identification. Only the selected categories will appear within the risk detail screen (primary category/secondary category dropdowns).

  • STEP 7: By Clicking the Risk 'Consequence checkbox' it will define a risk category as a consequence category for the risk type. Only the selected categories for the risk type will be displayed in the consequence table in end user’s view.

  • STEP 8: By Clicking the Risk 'Mandatory in consequence selection checkbox' it will define a risk category as a mandatory entity needing this user to select a consequence rating for the risk type. 

  • STEP 9: If the Risk Appetite feature is enabled for you, this area will have an additional column 'Appetite Benchmark' available showing all appetite criteria values you have added at 'Criteria' section above. You will be able to select and assign a benchmark value for each category. 


Treatment

This settings page lets you define the risk treatment values and select the appropriate risk categories a treatment is available for.

  • STEP 1: To set up risk treatments, click the 'Treatment' tab.

  • STEP 2: Type in a name and description in the text boxes provided.

You can also enter a sort order which will determine the position this item will appear in the listing.

You can also select a risk category which when selected as the primary risk category within an assessment will offer the corresponding Treatment option. The 'Show In All' option will display the treatment for all risk categories.

  • STEP 3: Click the 'Add' button to save details.
Note: Use the adjacent 'Edit' button or 'Delete' button to delete a saved record.


Sequence

This settings page lets you set a sequence numbering system for risk types. Further, you may set the generated auto numbering to be editable or non-editable, and add a prefix, start number, and a suffix for the sequence.

  • STEP 1: Click the 'Sequence' tab.

First decide whether the numbering system you define should apply to all risks or whether you want to define different numbering systems for each risk type. If you chose the former, the next dropdown will be greyed out.

However, if you opted to define different numbering systems for each risk type, the next dropdown will allow you to select each one in turn to configure the options individually.


  • STEP 2: Next select the Risk Sequence Type and specify whether it can be edited once a number is generated.
  • Strict Sequential Numbering: Means that the Risk Codes will be non-editable, and strict on the numbering sequence.
  • Editable Sequential Numbering: Means that the Risk Codes will be editable, however the sequence will still be automatic.

  • STEP 3: Enter a prefix, suffix, and a start number for the numbering to proceed sequentially. Note: if you have no risks created in the system already, it should default to 1, otherwise it will count up the number of risks you have in the system, and default for the next number in line to start the next risk sequencing.

  • STEP 4: Click the 'Save' button at the top to save details.

If you opted to define separate numbering systems for the different risk types, make sure you repeat this process for each one.


Risk Review Commentary

This settings page lets configure risk review comments for risk types. For Operational and Corporate risk types, configure the risk comment fields, displayed within the Risk Review tab. Strategic and Project risk type Risk Review fields can be configured via the Field Configuration settings page.

Four fields are available:

1. Risk Owner Comments (default editable)

2. Previous 6 months highlights (default not visible)

3. Management Comments (default not visible)

4. Next 6 months planned activities (default not visible)

  • To edit, click on the 'Edit' button. From here you can change the Risk Review rules to be Editable, Not Visible and Read only.
  • When configuration is set to ‘Editable’ or ‘Read Only’, fields will be appear in Risk Review screen, My Quick Update and the Risk tab in EIS.
  • The position will determine the order in which the comment fields will appear in the Risk Review screen. 


Consequence Table

This settings page lets you define the consequence rating descriptions for each risk category. Common categories for risk types will share the same consequence descriptions.

  • STEP 1: Click ‘Consequence Table'.

  • STEP 2: Select the risk type from the ‘select risk type’ dropdown.

  • STEP 3: Click inside each cell and type in any text as needed.

Click on the ‘Maximise’button in order to maximise the screen for data input:

  • STEP 4: Click the 'Save' button to save details.

This will appear in the assessment areas when assessing the criteria:

Notes:
  • Based on the settings you have enabled, one or more consequence ratings can be selected and saved.
  • If multiple ratings are selected, when calculating the risk rating, the consequence selected with the highest value is considered.


Likelihood Table

This settings page lets you update descriptions for defined likelihood ratings.

  • STEP 1: Click 'Likelihood Table'. Likelihood ratings defined within the Criteria area are listed on the left.

  • STEP 2: Click the 'Edit' button and type in a description in the adjacent text boxes.

This will appear in the assessment areas as follows when assessing the criteria:


Risk Templates

This settings pages lets you define risk templates with details that can be utilised during a risk setup common across the organisation, when creating large number of assessments. Additionally, you can duplicate or remove a template from the list.

  • STEP 1: Click ‘Risk Templates'.

  • STEP 2: Click the 'New' button icon to create a new risk template.
  • STEP 3: Define a name for your template and enter all data that will be common to the risks your users will be creating.
Note: The template is only restricted to these fields that are displayed currently.

  • STEP 4: Click the 'Save' button to save details.

Within risk assessments, this appears as a button which pops up a window to display the available templates when clicked. Users can click on the desired template to make their selection which will populate their blank risk assessment with data.

You can duplicate the existing template by clicking the 'Duplicate' button. To delete, click on the 'Delete' button.

Note: This area will be improved and enhanced in the future via Camms.Risk roadmap to reflect the field configurations you set up via Field Configuration under Risk Settings.


Legislation & Business Process

These settings pages lets you define legislations and business processes respectively, which can be linked to risks within risk assessments and used for filtering and reporting purposes.

Within risk assessments, users will have the ability to select a Legislation and/or Business Process that the risk applies to via a dropdown list which can appear on the initial, current/revised or future risk assessment tabs depending on your organisational preference. However, the field must be enabled within the ‘Field Configuration’ section – these menu items allow you to define the list items in the dropdowns.

  • STEP 1: Click 'Legislation' or 'Business Process' tab as appropriate.


  • STEP 2: Type in a name and description in the text boxes provided.
  • STEP 3: Specify the position it should appear in the relevant dropdown list in the Risk Assessment area.
  • STEP 4: Click the 'Add' button.

Note: The fields must be configured within the Field Configuration area. See article Risk Settings – Field Configuration for details.


Field Configuration

Please see article Risk Settings – Field Configuration for details on this configuration.


Review Frequency

This settings page lets you define review frequency types available for selection in the risk review tab, to generate the next review date and for review email notifications to be sent out. The type will decide what kind of frequency it is (weekly, monthly, etc.) and the type count will decide the number of times the review is done for the selected type.

Additionally, the risk frequency can be automated based on the risk type (once it is configured by the Administrator).

  • STEP 1: To set up frequencies, click the 'Review Frequency' menu item.
  • STEP 2: You can select how the 'Next Review Date' (NRD) is calculate based on two options.
    • Review Due Date (set by default): This option will calculate the NRD as [Previous NRD + Review Frequency].
    • Actual Review Completion Date: This option will calculate the NRD as [Current Date + Review Frequency].
      Example: The Previous Next Review Date is populated as 20-May-2021 and Review Frequency is Monthly. You do the review on 05-Jul-21.
      • Review Due Date option: The new NRD will populate as 20-May-21 + 1 month = 20-Jun-21.
      • Actual Review Completion Date option: The new NRD will populate as 05-Jul-21 + 1 month = 05-Aug-21.
      See article Risk Assessment under section 'Risk Review' for details on how this will be implemented.
  • STEP 3: To define a new frequency, enter a 'Name' and select the frequency 'Type' (whether it is reviewed weekly, monthly or quarterly, etc).
  • STEP 4: Specify the ‘Type Count’ and the 'Position'.
    ‘Type Count’ indicates how often a review needs to happen as per the frequency type. If the ‘type count’ is 1 for frequency type ‘Week’ then reviews must occur once a week. The position indicates the sequence this item appears within the dropdown selection in the ‘Risk Review’ tab of Risk Assessments.
    You can set the frequency as ‘Active’ by ticking the box. Only active frequencies will be made available for selection.
  • STEP 5: Click the 'Add' button at the bottom.
  • STEP 6: Click the 'Save' button at the top of the page to save details.
Note: Additionally, you can set the default selection of the Review Frequency to be displayed in the Risk Review screen from the Administration > Configurations area.


Register Configuration

This settings page lets you customise and configure fields displayed in the different registers. Change label names of fields, visibility of fields, searchability in register filters, and sequence displayed in the register. 

The following register types will be available to be configured via this settings page:

  • Strategic/Operational/Project/Corporate Risk Registers
  • Risk Dashboard Popup
  • Risk Control Register
  • Recommendation Dashboard Popup (for Camms.Risk Audit users)
  • Incident Dashboard Popup (for Camms.Risk Incident users)
  • EIS Register
  • Control Dashboard Popup
  • Compliance Dashboard Popup (for Camms.Risk Compliance users)
  • Action Dashboard Popup


Select which register type you wish to configure from this Register Type dropdown at the top. A list of selected standard and custom fields are available under each risk type. The below properties can be set for each column or filter in these registers.

Setting NameFunction
Field NameShows the name of the field which you can enable to show in your registers as a column and/or filter.
Note: The 'RiskCategory' field will include all entries from both 'Primary Risk Category' and 'Sub Categories and Secondary Categories' fields in the register filter if configured to be searchable, and will display the primary category in the register if configured to be visible. 
Label ReferenceEnable the field name to be changed to a preferred label.
VisibleDetermines the visibility of the field as a column in the register.
SearchableDetermines the visibility of the field as a filter in the register.
SequenceDetermines the order in which the columns appear in the register, lowest to highest going from left to right.
WidthDetermines the width of each column in the register.


Custom Lists

This settings page lets you define a set of custom dropdown lists here if your organisation requires additional fields to be displayed in risk assessment pages. Once defined, rename and enable it via the Field Configuration settings area.

In order to define a customised dropdown list:

  • STEP 1: Click the 'Custom Lists' tab.

This will take you to a screen which will show a list of Custom Lists.

  • STEP 2: Choose the specific Custom List which you want to customise, based on the field setup within Field Configuration.

A list will appear enabling you to add/amend the List item and Sequence. Update the information according to the way you wish to customise the list.

  • STEP 3: The customised lists (selection items) are now setup.

You can amend the name of the list and enable if it should appear on Risk Assessment screens as you wish.

Example: If you have CustomListField5 enabled within the Field Configuration area, you can add in the list items under CustomListField5 within Custom Lists.


Control Type Configuration 

The ‘Control Type’ which is a standard control field will be available here. Visibility of this field will display only when ‘Risk Control’ feature is activated. Both the existing and new custom lists can be used for both Control and Risk areas. The newly available 10 Custom Lists will be included in the risk field configuration (except for control type). 

To enter in the list items, click on the custom list title and the list items will show on the right hand side. You can then start building the list items by entering the description, sequence and then clicking ‘Add’ to add it to the table.


Heatmap Settings

This settings page lets you enable the heatmap dashboard tab to be displayed in the Risk Analysis page.

To enable the heatmap dashboard tab, tick the checkbox next to the setting 'Enable Heatmap' and click the 'Update' button.



Custom Hierarchy Lists

This settings page lets you define the contents for custom dropdown lists configured within any custom hierarchies used in the system.

Using Camms.RiskUsing Camms.Strategy
Flex Hierarchy Enabled
Custom Hierarchy Lists shown in Camms.Risk
Yes
NoNo
NO
Yes
Yes
No
NO
Yes
Yes
Yes
NO (Configured in Camms.Strategy via Menu > Administration > Configurations > Custom Hierarchy Lists)
Yes
No
Yes
YES

To define a custom dropdown list in custom hierarchies:

  • STEP 1: Select the custom list for the relevant hierarchy in the left panel.
  • STEP 2: Click on the 'Add New List Item' button in the right panel.
  • STEP 3: Enter a List Item and click 'Insert'.

To edit a custom dropdown list in custom hierarchies:

  • STEP 1: Select the custom list for the relevant hierarchy in the left panel.
  • STEP 2: Click on the 'Edit' button next to the List Item you wish to edit in the right panel.
  • STEP 3: Edit the sort order or list item and click 'Update'.

To delete a custom dropdown list in custom hierarchies:

  • STEP 1: Select the custom list for the relevant hierarchy in the left panel.
  • STEP 2: Click on the 'Delete' button next to the List Item you wish to delete in the right panel.
  • STEP 3: Click 'OK' in the confirmation window.